
ci(stack): blocking FTA complexity gate for EQL v3 #539

Merged: tobyhede merged 2 commits into feat/eql-v3-text-search-schema from feat/eql-v3-fta-ci on Jul 2, 2026

tobyhede (Contributor) commented Jul 1, 2026

What

Adds a blocking per-package complexity gate using FTA (Fast TypeScript Analyzer), scoped to the new EQL v3 text-search schema source only.

Stacked on feat/eql-v3-text-search-schema.

Why

Nothing in the repo currently guards code complexity (Biome = lint/format, tsc/vitest = types/tests). This catches complexity regressions in the v3 schema before they land. Starting with v3 as the per-package template; more packages can be added as sibling workflows/scripts later.

Changes

  • Pin fta-cli@3.0.0 as a @cipherstash/stack devDependency. Delivered via pnpm install --frozen-lockfile + a package script — no pnpm dlx/npx, matching the repo's supply-chain policy (minimumReleaseAge, blockExoticSubdeps). 3.0.0 (published 2025-07-25) clears the 7-day quarantine.
  • Add script analyze:complexity: fta src/schema/v3 --score-cap 72. Current v3 score is 71.08, so the tight cap blocks essentially any regression.
  • Add .github/workflows/fta-v3.yml: paths-filtered (packages/stack/src/schema/v3/**, packages/stack/package.json, the workflow file), blacksmith-4vcpu-ubuntu-2404, contents: read. FTA is static source analysis, so no build / DB / credentials. Non-zero exit fails the check (no continue-on-error).

Verification

  • pnpm install --frozen-lockfile — consistent
  • analyze:complexity pass case (71.08 vs cap 72) → exit 0
  • Fail case (--score-cap 60) → exit 1
  • lint:runners, lint:workflow-cache, test:scripts — all pass

Notes

  • Tight cap (72): a legitimate v3 refactor may trip it — bump the number in the script when that happens.
  • Required check: if made a required status check in branch protection, the paths: filter means PRs not touching v3 will show it pending — add a shim job or drop the filter if that bites.

tobyhede requested a review from a team as a code owner July 1, 2026 04:50

changeset-bot Bot commented Jul 1, 2026

⚠️ No Changeset found

Latest commit: dce9884

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types


coderabbitai Bot commented Jul 1, 2026

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 5d641c2d-6a94-4785-aad1-bdb86350b369

tobyhede added 2 commits July 1, 2026 19:55
The v3 encrypt config keys columns by DB name (`column.getName()`), but the
shared model path matched user models against those DB-name keys while models —
and the typed model types — are keyed by JS property. For any column whose JS
property differs from its DB name (e.g. `createdOn: encryptedDateColumn(
'created_on')`) the field never matched, so `encryptModel` silently stored it as
PLAINTEXT and `decryptModel` skipped `Date` reconstruction.

Add `BuildableTable.buildColumnKeyMap()` (property -> DB name), implemented by
v3 `EncryptedTable`, and route the model path through `resolveEncryptColumnMap()`:
match models by JS property, address the FFI/config by DB name. `reconstructRow`
now keys dates by property. v2 tables omit the map and fall back to identity, so
v2 behavior is unchanged.

Rework the schema-v3 date round-trip to exercise the typed `decryptModel` Date
reconstruction (single-value `decrypt` returns an ISO string by design, so the
old strict `toEqual(Date)` could never hold), and add regression coverage:
- non-live: `resolveEncryptColumnMap`/`buildColumnKeyMap` mapping and a
  property-vs-DB-name `reconstructRow` case via the fake-client harness;
- live: property-vs-DB-name model encrypt (no plaintext leak) + decrypt.

Also drop the int8 (bigint) domain from the v3 SDK surface until the native FFI
round-trips bigint losslessly, removing the now-dead bigint reconstruction path.
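
The property-vs-DB-name mismatch described in the commit message above, as an added example (not code from this PR or from @cipherstash/stack). `columns`, `fakeEncrypt`, `encryptModelBefore`, `encryptModelAfter`, `plaintextLeaks` and the `{ ciphertext }` shape are hypothetical stand-ins, and the sample model is constructed.

```typescript
// Added illustration with simplified stand-ins; not the @cipherstash/stack code.
type Row = Record<string, unknown>;

// Constructed schema: [JS property, DB column name].
const columns: Array<[string, string]> = [
  ["email", "email"],          // property and DB name agree
  ["createdOn", "created_on"], // property differs from DB name
];
const columnKeyMap = new Map<string, string>(columns);

// Encrypt config keyed by DB name, as the commit message describes for v3.
const encryptConfig = new Set<string>(columns.map(([, dbName]) => dbName));

// Stand-in for the real encryption call; the { ciphertext } shape is constructed.
const fakeEncrypt = (dbName: string, value: unknown) => ({
  ciphertext: `enc(${dbName}:${String(value)})`,
});

// Before: model properties are looked up directly in the DB-name-keyed config.
function encryptModelBefore(model: Row): Row {
  const out: Row = {};
  for (const prop of Object.keys(model)) {
    out[prop] = encryptConfig.has(prop) ? fakeEncrypt(prop, model[prop]) : model[prop];
  }
  return out;
}

// After: match by JS property, then address the config by DB name.
function encryptModelAfter(model: Row): Row {
  const out: Row = {};
  for (const prop of Object.keys(model)) {
    const dbName = columnKeyMap.get(prop);
    out[prop] = dbName !== undefined && encryptConfig.has(dbName)
      ? fakeEncrypt(dbName, model[prop])
      : model[prop];
  }
  return out;
}

// Regression check: configured properties whose stored value is still raw.
function plaintextLeaks(stored: Row): string[] {
  const isEncrypted = (v: unknown) =>
    typeof v === "object" && v !== null && "ciphertext" in v;
  return columns.map(([prop]) => prop).filter((p) => p in stored && !isEncrypted(stored[p]));
}

// Constructed sample model.
const sampleModel: Row = { id: 1, email: "a@example.test", createdOn: "2026-07-01" };
```

With the sample model, `plaintextLeaks(encryptModelBefore(sampleModel))` reports `createdOn`, while the same check on `encryptModelAfter(sampleModel)` reports nothing; a leak assertion of this kind catches the silent pass-through that a round-trip test alone would miss.
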

Add a per-package Fast TypeScript Analyzer (fta-cli) gate scoped to the
EQL v3 text-search schema source (packages/stack/src/schema/v3). The gate
fails CI when any v3 file exceeds the FTA score cap.

- pin fta-cli@3.0.0 as a stack devDependency (repo installs tooling via
  frozen-lockfile; no pnpm dlx/npx per supply-chain policy)
- add analyze:complexity script: fta src/schema/v3 --score-cap 72
  (current v3 score is 71.08, so the cap blocks regressions)
- add paths-filtered blocking workflow .github/workflows/fta-v3.yml;
  no build/DB/credentials needed (FTA is static source analysis)
tobyhede force-pushed the feat/eql-v3-fta-ci branch from 83649f8 to dce9884 July 2, 2026 02:42
tobyhede merged commit df8d639 into feat/eql-v3-text-search-schema Jul 2, 2026
7 checks passed
tobyhede deleted the feat/eql-v3-fta-ci branch July 2, 2026 03:07